CVE-2023-6958: 
WordPress vulnerability analysis and mitigation

The WP Recipe Maker plugin for WordPress was found to contain a Stored Cross-Site Scripting vulnerability (CVE-2023-6958) affecting all versions up to and including 9.1.0. The vulnerability was discovered and reported by Wordfence, with the initial disclosure made on January 18, 2024 (Wordfence Advisory).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcode(s). The severity of this vulnerability has been assessed with a CVSS v3.1 base score of 5.4 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it with a score of 6.4 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially compromising user data and website security (NVD).

A patch has been released to address this vulnerability. Users are advised to update their WP Recipe Maker plugin to a version newer than 9.1.0 (WordPress Patch).